By Julie Goldstein. Intern Reign Nelson and I recently asked five UC Chief Information Security Officers how information security has changed in the last three to five years. Not surprisingly, we got five different answers!
Three themes emerged from our chats with Mike Corn, UCSD; Jeannie Larson, UCD Health; David Rusting, UC Systemwide; Isaac Straley, UCI; and John Virden, UCR:
- Institutions and individuals are increasingly turning to cloud and third-party services for everything from personal use to data centers and high-powered research computing. While this shift brings new opportunities and capabilities, it also brings new considerations. For example, how much visibility do we lose when external parties manage our services and data? How will we know our third-party services will protect our data, and how will we find out if something happens?
- The huge proliferation of Internet-connected devices and rapid changes in technology create new challenges. In addition, the dramatic increase in the number and type of Internet-connected devices is redefining the concept of perimeter security.
- Cybersecurity is now not only about prevention; it is also about resilience. We no longer think it is possible to prevent all attacks, and have to assume that at some point things will be or have been breached. This has increased the focus on incident response and recovery as counterparts to prevention.
The CISOs shared a wide range of other thoughts and observations:
Corn mentioned that hacking is now being used in politics, such as the Russian hacking controversy during the 2016 presidential election, which is still under investigation today.
Virden expanded on resilience, commenting that the field is shifting focus from implementing layered protections, such as firewalls, intrusion detection, encryption, antivirus, etc., to being able to quickly respond if there’s an incident and getting things back to normal as soon as possible.
Larson said people mainly used to be worried about what happened to their information, but now we are also seeing kinetic events – cyber events that can cause dramatic real-world crises, such as power grid failures or airplane crashes. She believes these kinetic cyber events will change the way we view and respond to cyber events.
Straley said that threats have become worse: Bad actors are more organized, more motivated and, instead of individual actors, we are seeing more criminal and state organizations with greater capability. He also said the industry is finally figuring out how to make security usable for nontechnical people. Examples include Duo for multifactor authentication, NIST re-thinking password standards, more transparent encryption, and browsers enforcing some aspects of security.
Rusting noted that cybersecurity is more prevalent in the mainstream. Incidents tend to be high-visibility and high-profile. There’s also more attention to cybersecurity in politics. He noted that people increasingly realize that information security is not just about technology. It’s more about understanding and managing risk. It’s more of a business issue now, rather than just a technical problem.
Julie Goldstein is an IT security analyst at the UC Office of the President.